1. Field of the Invention
The present invention relates generally to data processing environments and, more particularly, to a hierarchical permission system providing methodology for cumulative limit checks for financial services entitlements systems.
2. Description of the Background Art
In the area of financial services, there is a common need for authorizing individuals having particular roles in an organization to perform a number of different functions or operations. The process of defining roles includes: (1) representing the hierarchy of an organization, and (2) associating that hierarchy with specific employees and employee types. What is special about financial services is that these roles are attached not only to specific functions (i.e., specific operations, such as being able to initiate a wire transfer or an automated clearing house (ACH) transaction), but also to a function on a particular object, such as being able to perform a wire transaction on a specific account. Also important in the area of financial services is the notion of controlling access to objects regardless of function. Therefore, in addition to a role-based hierarchy for business users and business employees, there is a need for provisioning both functions and objects. Particularly important is the notion of overlaying both of those mechanisms with limit checks.
Limit checks may be explained as follows. Once employees are provisioned for certain functions and objects, a business typically wants employees of a particular position to perform certain operations on behalf of the business. Accordingly, the business at that point will authorize employees of a given position or role to perform the operations, but will also establish limits (i.e., limitations) on performing the operations. Typically, the business will define that an employee of a given position or role is allowed to perform operations up to a particular limit (e.g., a dollar amount). For example, a given user may be authorized to sign checks, but only up to a certain amount (e.g., less than or equal to $1000). The limit checks themselves may be defined as a static per-transaction limit, a cumulative limit over a period of time and/or a combined cumulative per-transaction and per-object limit over a period of time.
Given this backdrop, businesses need to be able to successfully represent and manage a hierarchy to perform functions and to grant permission for functions, as well as object-based permissions thereof, and businesses need to be able to attach limits to these functions and limits to these objects. Additionally, businesses need to be able to specify whether a given limit is a transaction-based limit or an object-related limit. For instance, a business might need to specify: “Employee A is authorized to perform wire transactions up to $1,000.” However, the business might also need the ability to specify that Employee A is authorized to perform wire transactions of up to $1,000 on a certain account. The specification of authority granted to particular employees or groups may grow more complex in order to meet the needs of a business. For example, the business might also need the ability to specify that Employee A is authorized to perform wire transactions on a certain account subject to the following limits: up to $1,000 of wires per day, up to $10,000 of wires per month, and up to $30,000 of wires per quarter. In addition to basic limit checks in the foregoing example, the business may also need to establish cumulative limit tracking for groups of employees, including tracking on a per-period basis. Periods are typically daily, weekly, monthly, quarterly, annually, or the like. For example, all members of a given account payable group may only be authorized for a total of up to $10,000 of wires per week.
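The limit structure described above (a per-transaction limit, per-object cumulative limits over a period, and a cumulative limit shared by a group) can be illustrated with the following added example, which is not part of the original document and is not the methodology of the invention. The entity names, account identifiers, limit table and the LimitLedger class are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample data: each entity's parent group (None marks the root).
PARENT = {"employee_a": "accounts_payable", "employee_b": "accounts_payable",
          "accounts_payable": None}

# Constructed limits: (entity, function, object or None for any object, period) -> cap.
LIMITS = {
    ("employee_a", "wire", None, "transaction"): Decimal("1000"),
    ("employee_a", "wire", "acct-001", "day"): Decimal("1000"),
    ("employee_a", "wire", "acct-001", "month"): Decimal("10000"),
    ("accounts_payable", "wire", None, "week"): Decimal("10000"),
}

def period_key(period, when):
    """Name the accounting window that `when` falls in for a cumulative period."""
    if period == "day":
        return when.isoformat()
    if period == "week":
        year, week, _ = when.isocalendar()
        return f"{year}-W{week:02d}"
    if period == "month":
        return f"{when.year}-{when.month:02d}"
    raise ValueError(f"unsupported period: {period}")

class LimitLedger:
    def __init__(self):
        self.totals = defaultdict(Decimal)  # running total per limit window

    def authorize(self, user, function, obj, amount, when):
        """Return (True, None) and record the amount, or (False, violated limit)."""
        if amount <= 0:  # a negative amount would otherwise lower the running totals
            raise ValueError("amount must be positive")
        touched, entity = [], user
        while entity is not None:  # walk user -> group -> parent group
            for (ent, fn, lim_obj, period), cap in LIMITS.items():
                if ent != entity or fn != function or lim_obj not in (None, obj):
                    continue
                if period == "transaction":
                    used = Decimal(0)
                else:
                    bucket = (ent, fn, lim_obj, period, period_key(period, when))
                    used = self.totals[bucket]
                    touched.append(bucket)
                if used + amount > cap:
                    return False, (ent, period, cap)  # deny; nothing is recorded
            entity = PARENT.get(entity)
        for bucket in touched:  # commit only after every applicable limit passed
            self.totals[bucket] += amount
        return True, None
```

In a deployed entitlements system the check and the commit must execute as one atomic unit (for example, inside a single database transaction), so that two concurrent requests cannot both pass against the same running total.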
Today, a number of hierarchical role-based systems exist, both in the context of database systems and in the context of permission-based systems. None of those available systems, however, has an effective, flexible, highly efficient mechanism to maintain control of hierarchical limit checks for both functions and objects. Therefore, although database and permission-based systems are available to define hierarchical roles, none of them has the ability to flexibly and efficiently implement limit checks.
All told, there is a wide range of financial activities that may be performed through the hierarchy of roles that a business may establish. What is needed is a solution that allows businesses to authorize activities through a hierarchy of roles while also establishing and enforcing limits among multiple dimensions, thereby allowing constraint processing in a manner that achieves the business goals desired. The solution should allow multiple dimensions to be processed in different combinations along the lines of users and their groups, along the lines of hierarchical groups, along the lines of time periods, and along the lines of objects and functions (including monetary limits). The present invention provides a solution for these and other needs.